 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
tbonge
How do I cheat?
![]() Reputation: 0
Joined: 25 Apr 2018
Posts: 4
|
 Posted: Thu Apr 26, 2018 8:02 am Post subject: How to find the address for constant loaded into ebp? |
 |
|
The game I am working on has energy weapons that each have a max charge constant. I found the code that recharges the weapon. I want to change the max charge constant but can't find the address it loads it from.
I can change the current charge to be higher than the max charge but then the weapon shows 100 shots left out of 50 total. While it works I would prefer the max level not to be less than the current level.
Here is the code that recharges the weapon.
| Code: | 7FF7B149AD95 - test eax,eax
7FF7B149AD97 - jne 7FF7B149ADAC
7FF7B149ADAC - add [rbx+00000620],ebp |
[rbx+00000620] is the pointer to the weapons current charge level. It appears to be adding ebp to it which I assume contains (max charge - current charge) to set the weapon back to full charge.
How can I find where it loads the value into ebp so I can locate the constant for the max charge level and change it?
Here is the full assembly trace for the recharge routine:
| Code: | 7FF7B149AD7F - push rdi
7FF7B149AD80 - sub rsp,20
7FF7B149AD84 - movzx edi,r8l
7FF7B149AD88 - mov ebp,edx //is edx a pointer to the location i want? how to find it?
7FF7B149AD8A - mov rbx,rcx
7FF7B149AD8D - xor sil,sil
7FF7B149AD90 - call 7FF7B14AA730
7FF7B14AA730 - push rbx
7FF7B14AA732 - sub rsp,20
7FF7B14AA736 - mov rbx,rcx
7FF7B14AA739 - call 7FF7B14B72F0
7FF7B14B72F0 - mov [rsp+08],rbx
7FF7B14B72F5 - push rdi
7FF7B14B72F6 - sub rsp,20
7FF7B14B72FA - mov rdi,[rcx+00000520]
7FF7B14B7301 - xor ebx,ebx
7FF7B14B7303 - test rdi,rdi
7FF7B14B7306 - je 7FF7B14B7354
7FF7B14B7354 - movzx eax,bl
7FF7B14B7357 - mov rbx,[rsp+30]
7FF7B14B735C - add rsp,20
7FF7B14B7360 - pop rdi
7FF7B14B7361 - ret
7FF7B14AA73E - test al,al
7FF7B14AA740 - je 7FF7B14AA74D
7FF7B14AA74D - cmp qword ptr [rbx+000005A0],00
7FF7B14AA755 - mov [rsp+30],rdi
7FF7B14AA75A - je 7FF7B14AA77E
7FF7B14AA77E - mov eax,[rbx+00000620] //mov current weapon charge level to eax
7FF7B14AA784 - mov rdi,[rsp+30]
7FF7B14AA789 - add rsp,20
7FF7B14AA78D - pop rbx
7FF7B14AA78E - ret
7FF7B149AD95 - test eax,eax
7FF7B149AD97 - jne 7FF7B149ADAC
7FF7B149ADAC - add [rbx+00000620],ebp //recharge weapon to full
7FF7B149ADB2 - call 7FF7B14B9E30
7FF7B14B9E30 - push rbx
7FF7B14B9E32 - sub rsp,20
7FF7B14B9E36 - mov rax,gs:[00000058]
7FF7B14B9E3F - mov ecx,[7FF7B4993230]
7FF7B14B9E45 - mov edx,00000018
7FF7B14B9E4A - mov rcx,[rax+rcx*8]
7FF7B14B9E4E - mov eax,[rdx+rcx]
7FF7B14B9E51 - cmp [7FF7B46E15E0],eax
7FF7B14B9E57 - jg 7FF7B14B9E66
7FF7B14B9E59 - lea rax,[7FF7B46E15D8]
7FF7B14B9E60 - add rsp,20
7FF7B14B9E64 - pop rbx
7FF7B14B9E65 - ret |
|
|
| Back to top |
|
 |
ParkourPenguin
I post too much
 Reputation: 140
Joined: 06 Jul 2014
Posts: 4289
|
| Posted: Thu Apr 26, 2018 10:08 am Post subject: |
|
|
edx is probably a parameter. Look at the call(s) to that subroutine and see where the argument is coming from.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
tbonge
How do I cheat?
![]() Reputation: 0
Joined: 25 Apr 2018
Posts: 4
|
| Posted: Thu Apr 26, 2018 10:26 am Post subject: |
|
|
Thank you. I just started using CE 2 days ago, how do I go about finding what calls this subroutine?
Do I use what access this address on 7FF7B149AD88 - mov ebp,edx?
Is there a way to see the value of edx in the trace or would it just be the same as rdx?
Thanks, I appreciate it.
|
|
| Back to top |
|
|
ParkourPenguin
I post too much
Reputation: 140
Joined: 06 Jul 2014
Posts: 4289
|
| Posted: Thu Apr 26, 2018 11:21 am Post subject: |
|
|
Set the break and trace on the write ("add [rbx+00000620],ebp"), check "step over instead of single step," and set the trace count appropriately (between a few hundred and 1000 is usually adequate). The next time the game executes that instruction, the treeview in the trace window should get populated.
Right click on the treeview and select "Expand All". The first instruction you see should be the write (you might need to scroll a bit), and further down there should eventually be a ret instruction. The ret instruction is at the end of a treeview node, and the next instruction in the parent treeview node should be the instruction after the call to the subroutine the write was a part of. If you double click on that instruction, it will go to that address in the disassembler. Scroll up and you should see the instruction that called the subroutine to run. Above that should be whatever instruction stored a value into edx.
This topic has a little more information on backtracing.
_________________
I don't know where I'm going, but I'll figure it out when I get there. |
|
| Back to top |
|
|
tbonge
How do I cheat?
![]() Reputation: 0
Joined: 25 Apr 2018
Posts: 4
|
| Posted: Thu Apr 26, 2018 11:24 am Post subject: |
|
|
| Excellent, thanks so much! I will try this when I get home tonight.
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
